In a number of countries — Hungary, Lebanon, India and so on — banks offer a simple text message notification service and it seems to be pretty effective at cutting card fraud. When your card is used above a certain threshold (say 5 euros) then your issuer automatically sends you a post-authorisation text message containing the transaction details. If you’re sitting in your office and you suddenly get a text message concerning the purchase of a plasma TV in Ulan Bator, then you might be tempted to call the toll-free fraud helpline. It seems like a very simple and efficient mechanism for fraud reduction.
I can see a problem with it, though. Wouldn’t phishers be happy to pay 10 cents or whatever to send out a convincing text message: “if you didn’t just buy a new car in Botswana, call this number” and then, when you call the number, “Can I have your account number, password, mother’s maiden name” etc.? Is this a realistic threat? After all, you could argue that one of the reasons why phishing is so prevalent is that e-mail is free, so the cost-benefit analysis tips heavily in favour of the bad guy. Text messaging isn’t encrypted or authenticated — that’s why for the M-PESA scheme in Kenya we had to design encryption and authentication into the SIM Toolkit application — so banks are right to be wary about using it for certain kinds of services.
It would seem to be even cheaper, wouldn’t it, to send out the post-authorisation confirmations by e-mail but I’m not so sure about using e-mail in the same context for the same reasons. Until the banks have a working digital signature infrastructure, an e-mail notification service would attract phishers like flies. Actually, even with a digital signature service it would still attract phishers like flies.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.